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1.0 (U) Analysis Summary 

(S//NF) This is a high-level report / survey of WMI support for malware activity. This report 
uses the malware sample TROJ_WMIGHOST.A as an example of a WMI-based piece of 
malware. The report describes what WMI is and how it works and then goes on to describe how 


TROJ_WMIGHOST.A implements the mandatory pieces of WMI, WMI System Classes, 
necessary to perform its maliciousness. 


(S//NF) The report describes the three basic WMI System Classes: 


=» _EventConsumer (analogous to standard malware executable code) 
» _EventFilter (analogous to standard malware autorun/entry) 
# _FilterToConsumerBinding (analogous to standard malware condition/trigger) 


(S//NF) The report does a very good job of explaining WMI and how malware implements WMI. 
The use of TROJ_WMIGHOST.A highlights the mapping of standard malware constructs to the 
WMI model. However, there are no interesting techniques implemented via WMI discussed in 
this report and therefore no PoCs are recommended. 


2.0 (U) Description of the Technique 

(S//NF) Not applicable as no PoCs are recommended. 

3.0 (U) Identification of Affected Applications 
(U) Windows. 

4.0 (U) Related Techniques 

(S//NF) WMI implementation of standard malware functionality. 

5.0 (U) Configurable Parameters 

(U) Varied. 

6.0 (U) Exploitation Method and Vectors 

(S//NF) No exploitation methods or attack vectors were discussed in this report. 
7.0 (U) Caveats 


(U) Not applicable. 
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8.0 (U) Risks 
(S//NF) Not applicable as no PoCs are recommended. 


9.0 (U) Recommendations 


(S//NF) No PoCs are recommended. 
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